Comprehensive Risk Assessment

Comprehensive Privacy and Security Assessment’s.

The HIPAA Act requires all healthcare organizations to conduct an annual Risk Assessment with quarterly reviews.  MD Technology Services, LLC is here to assist you!  Bruce Miller is the resident auditor and has been affiliated with MDTS for over ten years.  He has over 25 years of Health Care Information Technology experience in a managerial role for two health systems providing guidance and oversite.

  • We will require a comprehensive inventory of all equipment that could have confidential or ePHI.
    • This includes PC’s, laptops, tablets, smart phones, and printing/faxing devices.
  • The first phase of the assessment will be for discovery as we perform a practice summary identifying all key stake holders and systems.
  • We perform an in-depth policy and procedure’s review of your organization.
  • Site walkthroughs are a great tool for leadership to validate their locations and staff are compliant.
    • We begin with the server/network closet or location where your infrastructure is located.
      • We will look for power, cooling, neatness, backup systems, data wiring, and security.
    • We survey patient care and staff work areas
    • We look for monitor placement, doors are locked that should be
    • Evidence of PHI being left out and visible
    • User logon information being posted or hidden,
    • Overall facility safety and security.
    • If so desired, we can also ask questions and survey staff about organizational policies and procedures.
  • We will then move into a detailed list of 36 screening questions where we will address each line with: if it has been addressed, partially addressed or not addressed, people/processes and technology.
  • Followed by responding to 26 control analysis questions.
    • It helps if you have documentation, logs, and screen shots that will help validate.
  • Then we will review the Technology Steps when we respond to 20 questions that identify the Asset Management Categories,
    • existing controls in place, what is the controls effectiveness
    • followed by the exposure potential, likelihood, impact and risk rating.
  • The next step is the High and Medium Risk Findings and Remediation where we respond to 57 questions pertaining to the risk, existing control measures,
    • Recommended control measures
    • Who is responsible
    • The steps to be taken to remediate the risk and expected target date to comply that the practice is comfortable with.
  • We will review your server/network closet or location where your infrastructure is located. We will look at power, cooling, neatness, backup systems, data wiring, and security.

The final process will be performed offsite for a detailed final review and summation report to be generated for the practice. and followed by an onsite wrap up meeting.

MDTS is also available to provide assistance with policy & procedure creation/ maintenance, Disaster Recovery/Business Continuity and or HIPAA related training as a project add on at an additional cost.  We also have a full range of manager services available including network, server, desktop & backup/recovery solutions.

Please refer to our website for more information at, or send an email to  We thank you for your time and consideration and look forward to working with your organization.